From 4e5b0a8f6e61bf88e39d9f5f9029ee715ab16c7b Mon Sep 17 00:00:00 2001
From: Reto Galante
Date: Wed, 12 Feb 2025 10:14:32 +0100
Subject: [PATCH] add publish to deptrack

---
 ci/main.go | 39 ++++++++++++++++++++++++++++++++++++---
 dagger.json | 2 +-
 2 files changed, 37 insertions(+), 4 deletions(-)

diff --git a/ci/main.go b/ci/main.go
index ce9bb8fd..4c336045 100644
--- a/ci/main.go
+++ b/ci/main.go
@@ -158,6 +158,25 @@ func (m *Ci) Vulnscan(sbom *dagger.File) *dagger.File {
 return trivy.Sbom(sbom).Report("json")
 }
 
+// Publish cyclonedx SBOM to Deptrack
+func (m *Ci) PublishToDeptrack(
+ ctx context.Context,
+ // SBOM file
+ sbom *dagger.File,
+ // deptrack address for publishing the SBOM https://deptrack.example.com/api/v1/bom
+ address string,
+ // deptrack API key
+ apiKey *dagger.Secret,
+ // deptrack project UUID
+ projectUUID string,
+) (string, error) {
+ return dag.Container().
+ From("curlimages/curl").
+ WithFile("sbom.json", sbom).
+ WithExec([]string{"curl", "-X", "POST", "-H", "'Content-Type: multipart/form-data'", "-H", fmt.Sprintf("'X-API-Key: %s'", apiKey), "-F", fmt.Sprintf("'project=%s'", projectUUID), "-F", "bom=@sbom.json", address}).
+ Stdout(ctx)
+}
+
 // Sign the published image using cosign
 func (m *Ci) Sign(
 ctx context.Context,
@@ -232,6 +251,12 @@ func (m *Ci) Ci(
 registryPassword *dagger.Secret,
 // registry address registry/repository/image:tag
 registryAddress string,
+ // deptrack address for publishing the SBOM https://deptrack.example.com/api/v1/bom
+ dtAddress string,
+ // deptrack project UUID
+ dtProjectUUID string,
+ // deptrack API key
+ dtApiKey *dagger.Secret,
 // ignore linter failures
 // +optional
 // +default=false
@@ -246,6 +271,7 @@ func (m *Ci) Ci(
 digest, err := m.Publish(ctx, image, registryAddress)
 if err == nil {
+ m.PublishToDeptrack(ctx, sbom, dtAddress, dtApiKey, dtProjectUUID)
 m.Sign(ctx, registryUsername, registryPassword, digest)
 m.Attest(ctx, registryUsername, registryPassword, digest, sbom, "cyclonedx")
 }
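Review bot: The `X-API-Key` header in the new PublishToDeptrack's WithExec is built with `fmt.Sprintf("'X-API-Key: %s'", apiKey)`, but `apiKey` is a `*dagger.Secret` handle, so `%s` formats the handle rather than the key material and Deptrack will reject the upload; had it resolved to plaintext, the key would sit in the exec argv, which Dagger records in its operation log and uses in the cache key. Expose the secret with `WithSecretVariable` and reference it from a shell line instead, so it never appears in the argument list. Two further argv problems: WithExec runs curl without a shell, so the single quotes in `'Content-Type: multipart/form-data'` and `'project=%s'` are sent literally, and hand-setting Content-Type discards the multipart boundary curl generates for `-F`, so the `-H` and the quotes should go. Adding `--fail` makes a non-2xx response surface as an error instead of exit 0, and `curlimages/curl` should be pinned to a tag and digest rather than the floating default. Rewritten body below, assuming the curl image provides a POSIX `sh`.
```go
) (string, error) {
	return dag.Container().
		From("curlimages/curl"). // TODO pin: curlimages/curl:<TAG>@sha256:<DIGEST>
		WithFile("sbom.json", sbom).
		// The key reaches the process as an env var only; it never enters
		// the argv that Dagger logs and caches.
		WithSecretVariable("DT_API_KEY", apiKey).
		// No shell quoting in argv; curl sets the multipart Content-Type
		// (with boundary) itself for -F. projectUUID and address are passed
		// as positional parameters so they are never spliced into the script.
		WithExec([]string{"sh", "-c",
			`curl --fail --silent --show-error -X POST -H "X-API-Key: $DT_API_KEY" -F "project=$1" -F bom=@sbom.json "$2"`,
			"sh", projectUUID, address}).
		Stdout(ctx)
}
```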
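Review bot: The three new Ci parameters `dtAddress`, `dtProjectUUID` and `dtApiKey` carry no `// +optional` marker, unlike the `ignore linter failures` flag that follows them, so every existing invocation of this entry point must now supply Deptrack settings or fail; that looks unintended for a pipeline that previously needed only registry credentials, and marking them optional and skipping the upload in the body when `dtAddress` is empty would keep it backward-compatible. The same parameters are added to CiIntegration in the `@@ -271,6 +297,12 @@` hunk. On naming, Go keeps initialisms in one case, so `dtApiKey` should read `dtAPIKey`, matching `dtProjectUUID`. Ci's signature continues outside the hunk.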
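Review bot: The new `m.PublishToDeptrack(...)` call discards both return values, so an upload that fails — wrong key, wrong address, non-2xx from Deptrack — is silently lost while Sign and Attest proceed and the pipeline reports success; the function returns `(string, error)` for exactly this, so check it: `if _, err := m.PublishToDeptrack(ctx, sbom, dtAddress, dtApiKey, dtProjectUUID); err != nil { /* propagate per Ci's error contract */ }`. Ci's return type is outside the hunk, so I can't say what to return here; in CiIntegration (the `@@ -339,11 +371,12 @@` hunk) the surrounding code already does `return nil, err` for a publish failure, and the same form fits after the Deptrack call there. Sign and Attest are equally unchecked, but that predates this commit.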
@@ -271,6 +297,12 @@ func (m *Ci) CiIntegration(
 registryPassword *dagger.Secret,
 // registry address registry/repository/image:tag
 registryAddress string,
+ // deptrack address for publishing the SBOM https://deptrack.example.com/api/v1/bom
+ dtAddress string,
+ // deptrack project UUID
+ dtProjectUUID string,
+ // deptrack API key
+ dtApiKey *dagger.Secret,
 // ignore linter failures
 // +optional
 // +default=false
@@ -339,11 +371,12 @@ func (m *Ci) CiIntegration(
 // After publishing the image, we can sign and attest
 if err != nil {
- return nil, err
+ return nil, err
 }
- m.Sign(ctx, registryUsername, registryPassword, digest)
- m.Attest(ctx, registryUsername, registryPassword, digest, sbom, "cyclonedx")
+ m.PublishToDeptrack(ctx, sbom, dtAddress, dtApiKey, dtProjectUUID)
+ m.Sign(ctx, registryUsername, registryPassword, digest)
+ m.Attest(ctx, registryUsername, registryPassword, digest, sbom, "cyclonedx")
 
 sbomName, _ := sbom.Name(ctx)
 result_container := dag.Container().
diff --git a/dagger.json b/dagger.json
index f33b70cd..a0d7840c 100644
--- a/dagger.json
+++ b/dagger.json
@@ -1,6 +1,6 @@
 {
 "name": "ci",
- "engineVersion": "v0.15.2",
+ "engineVersion": "v0.15.3",
 "sdk": "go",
 "dependencies": [
 {